
Amazon Cloud Drive forensic analysis

Jason S. Hale
One Source Discovery, 1313 Lyndon Lane, Suite 108, Louisville, KY 40222, USA
Article info
Article history: Received 23 January 2013; Accepted 22 April 2013
Keywords: Amazon; Cloud Drive; Computer forensics; Digital forensics; Forensic analysis

Abstract
Cloud storage is becoming increasingly popular among individuals and businesses. Amazon Cloud Drive is a flavor of cloud-based storage that allows users to transfer files to and from multiple computers, with or without the use of a separate application that must be installed on the user's machine. This paper discusses the digital artifacts left behind after an Amazon Cloud Drive has been accessed or manipulated from a computer. Methods available to a forensic examiner that can be used to determine file transfers that occurred to and from an Amazon Cloud Drive on a computer, as well as methods for retrieving relevant Cloud Drive artifacts from unallocated space, are discussed in this paper. Two Perl scripts are also introduced to help automate the process of retrieving information from Amazon Cloud Drive artifacts.
© 2013 Elsevier Ltd. All rights reserved.
1. Introduction
In spring 2012, Amazon released its cloud-based storage system, calling it Amazon Cloud Drive. While some marketing ads highlight a Cloud Drive's ability as an online MP3 player and storage system, an Amazon Cloud Drive is capable of storing any type of file as long as it doesn't exceed the 2 GB limit per file that is in place. There is an initial 5 GB storage limit for a user's Cloud Drive; however, this can be increased by purchasing additional storage space from Amazon.

Once a file has been uploaded to an Amazon Cloud Drive, it may be downloaded from any location and by any individual with knowledge of the login credentials associated with the Amazon account. While there is a desktop application developed to help streamline the process of transferring files to and from a Cloud Drive, the application is not a requirement for file transfers.

Amazon Cloud Drive carries with it many of the same forensic implications as other cloud-based storage systems; however, it behaves a bit differently in that it does not have a "magic folder" or location on the local hard drive that will be automatically synced with the Cloud Drive. Instead, a user must choose exactly which files and folders to store on the Cloud Drive and transfer them using either the desktop application or the online interface. Regardless, the threat of intellectual property theft remains, and the ease with which it may be accomplished is evident with cloud-based storage. For instance, using an Amazon Cloud Drive, a user may upload a database containing confidential client information and later download that database to another computer without installing any additional software or attaching a single removable device to either machine.

If forensic examiners are not knowledgeable regarding the different types of cloud-based storage systems available and what artifacts each may leave behind, they could miss critical information during an investigation. The aim of this paper is to inform forensic examiners of the specific artifacts left behind when an Amazon Cloud Drive is accessed from a Windows operating system, as well as the methods examiners may use to glean the most relevant information from these artifacts.
E-mail address: jhale@onesourcediscovery.com.
Digital Investigation 10 (2013) 259–265. http://dx.doi.org/10.1016/j.diin.2013.04.006
2. Amazon Cloud Drive usage
2.1. Cloud Drive via online interface
An Amazon Cloud Drive's online interface is quite simple and features the familiar right-side file listing and left-side tree structure (as with Windows Explorer). Uploads are completed using an "Upload Files" button. Downloads are completed using a "Download" button (files downloaded in this manner must be downloaded one at a time). Deletion operations may be completed using the "Delete" and "Permanently Delete" buttons available in the online interface. The Deleted Items area of a Cloud Drive behaves similarly to the Windows Recycle Bin. When files are deleted using the "Delete" option within the online interface, they are moved to the Deleted Items area. A user may then choose to restore specific items to their original location from the Deleted Items or permanently remove them.

While it is possible to perform any upload/download task using the online interface, Amazon's desktop application makes the process easier. Arguably the most significant shortcoming of the online interface is that a user cannot download more than one file at a time without having the desktop application installed and running on the local machine. A user may upload multiple files at once using only a web browser, although they are reminded each time about the existence of the desktop application (unless the "Do not remind me again" option is selected in the reminder dialog box).

When using the online interface to upload multiple files, a check is made to determine if the Amazon Cloud Drive desktop application is running on the local machine. If the application is running, it will automatically be used for the upload; the user is not given the choice of which method to use. If the desktop application is not detected, a dialog box will be displayed advertising the desktop application. Choosing "Not right now" (indicating the user wishes not to install the application) will continue the upload using only the web browser.
2.2. Cloud Drive via desktop application
The Amazon Cloud Drive desktop application allows a user to streamline the transfer of files to and from a Cloud Drive. Amazon currently offers a version of the desktop application that is compatible with Windows as well as the Mac OS X operating system. After the application is installed, a user has the option to remain signed in so they are automatically logged into their Amazon Cloud Drive account each time the desktop application is started.

Once running, the desktop application has an upload window that the user may choose whether or not to display. If the application window is displayed, the user may simply drag files and folders to the upload window to begin uploading them to the associated Cloud Drive. Alternatively, a user may drag files to the taskbar where the desktop application's icon resides. Either way, the user will be notified when the upload begins via a notification from the taskbar icon as well as the upload window.

When the desktop application is installed, it will be set as the default method to use when uploading files or downloading more than one file, even when interacting with the Cloud Drive using a web browser. This may be circumvented by ensuring the desktop application is not running when interacting with the Cloud Drive via web browser.
3. Testing
Testing of an Amazon Cloud Drive was conducted for the scenario in which a user accesses and manipulates a Cloud Drive via the online interface as well as via the desktop application. Testing was conducted on fresh installations of Windows XP Professional 32-bit Service Pack 3 and Windows 7 Professional 64-bit Service Pack 1. Discrepancies between tested operating systems will be noted where applicable. Additionally, Process Monitor version 3.03 was installed and used to monitor system activity.
3.1. Amazon Cloud Drive via online interface
The online interface of an Amazon Cloud Drive was tested to determine the specific artifacts created on the local machine as a result of a user's interaction with a Cloud Drive using a web browser. Microsoft Internet Explorer versions 8.0.7601.17514 and 9.0.8112.16421 were used as well as Mozilla Firefox version 14.0.1. Google Chrome was not significantly tested due to the fact that current versions of the browser are reportedly incompatible with the online interface of Amazon Cloud Drive.

Over a span of two weeks in August 2012, multiple files and folders of varying size and type were uploaded, downloaded, and deleted using only the online interface of Amazon Cloud Drive, which may be viewed after logging into a Cloud Drive account at http://www.amazon.com/clouddrive. The desktop application was not running during the upload or download process so as to not interfere with the results obtained. Times of upload, download, and deletion operations were noted for later comparison to the extracted web browsing history.

After a known operation (upload, download, or deletion) had been carried out on the Cloud Drive, the web browsing history artifacts of the utilized browser were extracted from the file system and analyzed on a separate Windows 7 Professional 64-bit Service Pack 1 machine using Digital Detective's NetAnalysis version 1.55. The previously noted time of operation was then compared to the corresponding time within the web browsing history using NetAnalysis. When possible, web pages were rebuilt using files from the browser's web cache. In such instances, the content of cached files was examined in addition to the individual record associated with the requested uniform resource locator (URL).
3.2. Amazon Cloud Drive via desktop application
The Amazon Cloud Drive desktop application was tested to determine the specific artifacts created on the local machine as a result of a user's interaction with a Cloud Drive using the desktop application. The desktop application, freely available for download from www.amazon.com/gp/drive/app-download, was downloaded and installed on fresh installations of Windows XP Professional 32-bit Service Pack 3 and Windows 7 Professional 64-bit Service Pack 1. The version of the desktop application used was 1.1.0.

Over a span of two weeks in August 2012, multiple files and folders of varying size and type were uploaded and downloaded using the desktop application. The file name, size, upload/download paths, and transfer times were noted during the transfer operation for comparison to the artifacts generated by the desktop application. During specific testing scenarios, the transfer operation was paused or cancelled using the context menu of the desktop application icon from the Windows taskbar in order to note changes to the artifacts created by the desktop application. Additionally, network connectivity was intentionally interrupted during specific transfer operations in order to note changes to the artifacts created by the desktop application. File system and registry activity were observed during each testing scenario using Process Monitor to identify any files or registry keys/values that were created or modified during a transfer operation.

Following the completion or intentional interruption of each transfer operation, the ADriveNativeClientService.log file and 1319b5c6-2672-49b4-b623-bf5a33fd4c40.db file were extracted from the file system and analyzed on a separate Windows 7 Professional 64-bit Service Pack 1 system. Analysis of ADriveNativeClientService.log was conducted using Notepad version 6.1.5; analysis of 1319b5c6-2672-49b4-b623-bf5a33fd4c40.db was conducted using SQLite Database Browser version 2.0b1 and WinHex version 14.9. The NTUSER.DAT Windows registry hive of the user account from which the desktop application was installed was also extracted and examined using AccessData Registry Viewer version 1.6.3 for evidence related to an Amazon Cloud Drive.
4. Cloud Drive via web browser forensic artifacts
4.1. Browser history les
As expected, the most forensically rewarding location for artifacts left behind after a user has interacted with the online interface of an Amazon Cloud Drive is the local machine's web browsing history. Parsing the browsing history database(s) of any browser installed on the local machine may prove useful in determining whether an Amazon Cloud Drive was accessed via the online interface. Depending on the amount of interaction with a Cloud Drive, numerous records with URL requests beginning with https://www.amazon.com/clouddrive/api, followed by a specific query to the Cloud Drive, may exist in the web browsing history. The existence of such entries is a very good indication that the user was accessing and manipulating an Amazon Cloud Drive via the online interface. However, these entries alone do not provide an examiner with a great deal of detail regarding operations carried out to a specific file on a Cloud Drive.
4.2. Web browser cache files
The key forensic artifacts when using an Amazon Cloud Drive via web browser are found in the cache of the browser used to interact with the Cloud Drive. Depending on the method used by the web browser to store its cache files, it may be necessary to reconstruct the cache before gaining access to individual files (as in the case of Mozilla Firefox). However, Microsoft Internet Explorer's cache (Temporary Internet Files folder) may currently be viewed without reconstruction.

Within the web browser cache, there is a specific type of file that renders the most useful information during forensic analysis. The cache files created as a server response to the getInfoById operation issued from a web browser contain many relevant details that may be used during forensic examination. Through web browser history analysis, it was determined that the getInfoById operation is issued following an upload or delete operation carried out to a file on the Cloud Drive. The content of these cache files always begins with the text {"getInfoByIdResponse, followed by a number of fields relating to the specific file for which information was requested. The most useful fields identified within these files were: file name, object ID, Amazon customer ID, file creation date, file last updated date, cloud path, file size, and MD5. A description of each field and how it may be used during forensic analysis can be found below.

File Name: This field lists the name, including extension, of the file stored on the Cloud Drive.
Object ID: This is a GUID assigned to each file by the Cloud Drive to uniquely identify files and folders stored on the Cloud Drive. This field is useful in tracking operations carried out on specific files.
Amazon Customer ID: This field may be useful in determining additional information regarding the Amazon account being used with the Cloud Drive. Visiting http://www.amazon.com/gp/pdp/profile/customerID and substituting customerID with the value from this field may allow an examiner to view the public profile associated with the Amazon account (RSS Web Feeds for Tags at Amazon.com). If a profile has not been set up by the user, the webpage will indicate such and no further information will be available using this field value.
File Creation Date: This field lists the creation date of the file that was uploaded to the Cloud Drive. This timestamp reflects the same date/time that is listed in the online interface within the "Date Added" column. The timestamp is in Unix Numeric format and based on the time settings of the local computer at the time the file was uploaded to the Cloud Drive.
File Last Updated Date: Similar to the file creation date field, this timestamp is also in Unix Numeric format. This time provides a close approximation to the time that a file finished uploading to the Cloud Drive and is based on the time settings of the local computer from which the file was uploaded.
Cloud Path: This field lists the full path of the file within the Cloud Drive.
File Size: This field lists the size of the file in bytes.
MD5: This field lists the calculated MD5 hash of the uploaded file as it exists on the Amazon Cloud Drive.

The information gleaned from the getInfoByIdResponse web browser cache files is helpful in that it provides a wealth of information about the referenced file. The downside to the information from these cache files is that it does not provide information regarding specific operations carried out to each file. Based on the information from the getInfoByIdResponse files alone, an examiner is unable to determine whether the original getInfoById request that generated the cache file was issued as a result of an upload or delete operation. To answer such questions, it is necessary to examine the content of other types of web browser cache files. Each relevant type of cache file is described below.

createByIdResponse: The content of the web browser cache files created as a response to the createById operation begins with the text {"createByIdResponse. The createById operation corresponds to a file being uploaded to the Cloud Drive using the online interface. These cache files include information such as the file name and the Cloud Drive object ID, but lack fields that are present in the getInfoByIdResponse cache files (specifically the MD5 and cloud path fields).
recycleByBulkIdResponse: The content of the web browser cache files created as a response to the recycleByBulkId operation begins with {"recycleByBulkIdResponse. The recycleByBulkId operation corresponds to a file on the Cloud Drive being sent to the Deleted Items area via the "Delete" button. These cache files contain little information about the recycled file(s) other than the Cloud Drive object IDs. If more than one file is recycled at once, the respective object IDs are separated by commas (as opposed to a separate cache file being created for each recycled file).
removeByBulkIdResponse: The content of the web browser cache files created as a response to the removeByBulkId operation begins with {"removeByBulkIdResponse. The removeByBulkId operation corresponds to a file on the Cloud Drive being removed from the Deleted Items area via the "Permanently Delete" button. As with the recycleByBulkIdResponse cache files, only the object ID for each deleted file is available. After files are removed using this method, they are no longer available on the Cloud Drive.

It is possible to manually extract each field from the relevant web browser cache files using a text editor; however, doing so would likely prove to be a time-prohibitive task (not to mention the inherent risk of human error). To resolve this issue, I have written a Perl script that, when given the path to a directory, scans each file within the directory for cache files related to an Amazon Cloud Drive and parses the previously mentioned fields within each file. The script is titled acdCacheParse.pl and requires a single input variable (the path to the directory containing the cache files) and outputs the resulting dataset in comma-separated format, which allows for viewing the parsed information in an external spreadsheet application upon redirection to a file. acdCacheParse.pl may be freely downloaded from http://code.google.com/p/dfstream/downloads/list.
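As an added example (not the paper's acdCacheParse.pl and not Amazon's code), the Python script below does what the preceding paragraphs describe: it walks a directory, recognises Cloud Drive cache files by the leading text of each response type, flattens whatever JSON fields are present into CSV rows, collects object IDs as GUIDs regardless of the key they sit under, and renders Unix-numeric timestamps. The key names inside the constructed sample files (objectId, creationDate and so on) and the treatment of very large values as milliseconds are assumptions; the paper gives the field meanings, not the key names.

```python
import csv
import io
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Leading text of each response type (section 4.2). The paper spells the recycle
# and remove responses both "...ByBulkId" (text) and "...BulkById" (Table 1), so
# both spellings are accepted.
RESPONSE_TYPES = {
    b'{"getInfoByIdResponse': "getInfoById",
    b'{"createByIdResponse': "createById",
    b'{"recycleByBulkIdResponse': "recycleByBulkId",
    b'{"recycleBulkByIdResponse': "recycleByBulkId",
    b'{"removeByBulkIdResponse': "removeByBulkId",
    b'{"removeBulkByIdResponse': "removeByBulkId",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def classify(data):
    """Return the response type a cache file belongs to, or None if unrelated."""
    for prefix, kind in RESPONSE_TYPES.items():
        if data.startswith(prefix):
            return kind
    return None


def flatten(obj, prefix="", out=None):
    """Flatten nested JSON into dotted keys so no key names have to be assumed."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flatten(value, f"{prefix}{key}.", out)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flatten(value, f"{prefix}{index}.", out)
    else:
        out[prefix.rstrip(".")] = obj
    return out


def unix_to_utc(value):
    """Render a Unix-numeric timestamp as UTC. Values above 1e11 are treated as
    milliseconds (assumption: the paper only says 'Unix Numeric format')."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return None
    seconds = value / 1000.0 if value > 1e11 else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_cache_file(path):
    """Parse one cache file into a flat row; None for non-Cloud-Drive files."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = classify(data)
    if kind is None:
        return None
    row = {"source": os.path.basename(path), "response": kind,
           # object IDs are GUIDs (section 4.2): collect them whatever the key name
           "object_ids": ";".join(sorted(set(GUID_RE.findall(data.decode("latin-1")))))}
    try:
        fields = flatten(json.loads(data.decode("utf-8", "replace")))
    except json.JSONDecodeError:
        fields = {}  # carved or truncated file: keep the GUIDs, skip the JSON fields
    for key, value in fields.items():
        row[key] = value
        rendered = unix_to_utc(value)
        if rendered and ("date" in key.lower() or "time" in key.lower()):
            row[key + "_utc"] = rendered
    return row


def scan_directory(directory):
    """Parse every Cloud Drive cache file in a directory (the acdCacheParse.pl use case)."""
    rows = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            row = parse_cache_file(path)
            if row is not None:
                rows.append(row)
    return rows


def to_csv(rows):
    """CSV text with the union of all row keys as the header line."""
    columns = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, restval="")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_cache_dir():
    """Constructed sample cache files; key names and values are made up."""
    directory = tempfile.mkdtemp(prefix="acd_cache_")
    samples = {
        "cache_001": json.dumps({"getInfoByIdResponse": {
            "name": "clients.accdb", "objectId": "0b3c9d2e-1f4a-4b5c-8d6e-7f8091a2b3c4",
            "customerId": "A1EXAMPLECUST", "creationDate": 1345200000,
            "lastUpdatedDate": 1345200000123, "cloudPath": "/Documents/clients.accdb",
            "size": 4718592, "md5": "0123456789abcdef0123456789abcdef"}}),
        "cache_002": json.dumps({"createByIdResponse": {
            "name": "clients.accdb", "objectId": "0b3c9d2e-1f4a-4b5c-8d6e-7f8091a2b3c4"}}),
        "cache_003": json.dumps({"recycleByBulkIdResponse": {
            "objectIds": "0b3c9d2e-1f4a-4b5c-8d6e-7f8091a2b3c4,6d4e2f10-9a8b-4c7d-b1e2-3f4a5b6c7d8e"}}),
        "cache_004": "<html><body>not a Cloud Drive response</body></html>",
    }
    for name, text in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return directory


if __name__ == "__main__":
    print(to_csv(scan_directory(build_sample_cache_dir())))
```

Redirecting the printed CSV to a file gives the spreadsheet-ready output the paper describes. Because the flattening is generic, a cache file whose JSON fields differ from the constructed sample still yields a row; only the timestamp rendering depends on a key containing "date" or "time".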
5. Cloud Drive via desktop application forensic
artifacts
5.1. Registry artifacts
It comes as no surprise that installing the Amazon desktop application results in modifications to the Windows registry. There are multiple modifications made during the installation; however, it appears that information regarding uploads and downloads is not stored in the registry. The following registry keys/values were noted as being associated with the installation of the Amazon Cloud Drive desktop application. The location of each key/value was identical for Windows XP and Windows 7.
HKEY_CURRENT_USER\Software\Amazon\AmazonCloudDrive
HKEY_CURRENT_USER\Software\JavaSoft\Prefs\com\amazon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: value created for Amazon Cloud Drive
The standard registry locations used for tracking application usage, such as UserAssist, are still applicable but were not included in the previous list.
5.2. Installation paths
Upon installing the Amazon Cloud Drive desktop application on a Windows machine using the default settings during installation, Amazon Cloud Drive application files were found to be stored in the following locations for Windows 7:
\Users\<user>\AppData\Local\Amazon\Cloud Drive: Amazon Cloud Drive application files (including the Cloud Drive executable files)
\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon\Cloud Drive: shortcut to AmazonCloudDrive.exe
\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo: shortcut to AmazonCloudDriveSendTo.exe
The following locations were observed being associated with Amazon Cloud Drive after a default installation in Windows XP:
\Documents and Settings\<user>\Local Settings\Application Data\Amazon\Cloud Drive: Amazon Cloud Drive application files (including the Cloud Drive executable files)
\Documents and Settings\<user>\Start Menu\Programs\Amazon\Cloud Drive: shortcut to AmazonCloudDrive.exe
\Documents and Settings\<user>\SendTo: shortcut to AmazonCloudDriveSendTo.exe
5.3. 1319b5c6-2672-49b4-b623-bf5a33fd4c40.db
1319b5c6-2672-49b4-b623-bf5a33fd4c40.db, referred to as {GUID}.db hereafter, is a SQLite database used by the Amazon Cloud Drive desktop application and stored in the Amazon\Cloud Drive folder of the user's AppData (or Local\Application Data) directory. It appears that the file name may be associated with the version of the desktop application. One fact supporting this theory is the existence of the /T/O/S/Ver_1319b5c6-2672-49b4-b623-bf5a33fd4c40 value within the HKEY_CURRENT_USER\Software\JavaSoft\Prefs\com\amazon\adrive\client\auth Windows registry key. The data associated with this value on all tested systems was 1.0.0. Additionally, the file name of {GUID}.db remained the same across all tested machines and operating systems. However, the true meaning behind this GUID is unknown at this time.

This SQLite database holds the transfer tasks (files that will be uploaded/downloaded) while the task's status is PENDING. In other words, the queue of transfers is held within this database. As transfers are completed, the associated record is removed from the database and logged to the ADriveNativeClientService.log file. When a transfer operation is cancelled, the associated database records are removed and are not logged to the ADriveNativeClientService.log file. When a transfer is interrupted due to loss of network connectivity or a user pausing the transfer, pending transfer tasks remain in {GUID}.db until the transfer operation resumes and the status of each task is updated to FINISHED.

When records are removed from {GUID}.db, they do not appear to be wiped and may still be recoverable until they are overwritten by new data. Depending on the difference between the number of transfers from one upload/download operation to the next, the deleted database records may be reused very quickly or remain intact for some time. Vacuum operations are disabled for this database, as noted by the absence of value data at byte offsets 52 and 64 of the file (The SQLite Database File Format). Given this fact, it is possible that if there were a large number of files being transferred at once, {GUID}.db could grow to be fairly large (one test sample grew larger than 6 MB), as many transfer tasks would have a PENDING status and therefore the associated file information would be written to the database. Consequently, many of the database records created during such a large transfer (and removed thereafter) would likely not be overwritten unless there were another transfer comprising an equally large number of files.
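Added example (not code from the paper): reading the two header offsets cited above, listing the live queue with SQL (what SQLite Database Browser shows), and scanning the raw file for residual local paths after completed rows have been deleted (what a hex editor shows). The transfer_task table and its columns are a constructed stand-in for the undocumented schema, the file is written to a temporary directory, and the PRAGMA that turns off secure_delete is there only so the sample reproduces the observed "not wiped" behaviour on SQLite builds that zero freed cells by default.

```python
import os
import re
import sqlite3
import struct
import tempfile

# Local paths stored as text survive in freed cells until overwritten. "/" (the
# start of the neighbouring cloud_path column in the constructed schema) and NUL
# end a match.
LOCAL_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x2e\x30-\x7e]{3,250}")


def vacuum_flags(db_path):
    """Read the two header fields the paper cites: offset 52 (largest root b-tree
    page, non-zero only in auto-vacuum mode) and offset 64 (incremental-vacuum
    flag). Both are 4-byte big-endian integers in the 100-byte SQLite header."""
    with open(db_path, "rb") as fh:
        header = fh.read(100)
    if header[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 database")
    largest_root = struct.unpack(">I", header[52:56])[0]
    incremental = struct.unpack(">I", header[64:68])[0]
    return {"largest_root_page": largest_root, "incremental_vacuum": incremental,
            "vacuum_disabled": largest_root == 0 and incremental == 0}


def live_tasks(db_path):
    """Rows still in the queue, as a SQL client would list them."""
    conn = sqlite3.connect(db_path)
    rows = conn.execute("SELECT task_type, status, local_path FROM transfer_task "
                        "ORDER BY rowid").fetchall()
    conn.close()
    return rows


def carve_local_paths(db_path):
    """Raw scan of the whole file: live rows and residual (deleted) rows alike."""
    with open(db_path, "rb") as fh:
        data = fh.read()
    return sorted({m.group(0).decode("latin-1") for m in LOCAL_PATH_RE.finditer(data)})


def build_sample_db():
    """Constructed {GUID}.db stand-in; the schema is an assumption."""
    directory = tempfile.mkdtemp(prefix="acd_db_")
    path = os.path.join(directory, "1319b5c6-2672-49b4-b623-bf5a33fd4c40.db")
    conn = sqlite3.connect(path)
    # Some builds zero freed cells by default; disable that so the sample shows
    # the behaviour the paper observed (deleted records not wiped).
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE transfer_task (task_type TEXT, status TEXT, "
                 "local_path TEXT, cloud_path TEXT, size INTEGER)")
    conn.executemany("INSERT INTO transfer_task VALUES (?, ?, ?, ?, ?)", [
        ("upload", "FINISHED", r"C:\Users\jdoe\Documents\clients.accdb",
         "/Documents/clients.accdb", 4718592),
        ("upload", "FINISHED", r"C:\Users\jdoe\Pictures\holiday.jpg",
         "/Pictures/holiday.jpg", 204800),
        ("download", "PENDING", r"C:\Users\jdoe\Downloads\roadmap.pdf",
         "/Work/roadmap.pdf", 98304),
    ])
    conn.commit()
    # Completed transfers leave the queue: their rows are deleted, not wiped.
    conn.execute("DELETE FROM transfer_task WHERE status = 'FINISHED'")
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    sample = build_sample_db()
    print(vacuum_flags(sample))
    print("live rows:", live_tasks(sample))
    print("carved paths:", carve_local_paths(sample))
```

The raw scan returns the two FINISHED paths even though the SQL query no longer does; on a real {GUID}.db the residual rows persist only until a later transfer reuses the freed space, which is the point the paragraph above makes about large transfers.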
5.4. ADriveNativeClientService.log
ADriveNativeClientService.log, located in the Amazon\Cloud Drive folder in the user's AppData (or Local\Application Data) directory, holds the most useful information for forensic analysis regarding usage of the Amazon Cloud Drive desktop application. This ASCII text file logs one line per transaction and is appended to after interaction between the desktop application and the Cloud Drive occurs. This includes successful uploads and downloads as well as transfer errors. This file is a requirement for the desktop application and will be recreated if it is not found in the correct location when a transfer begins.

ADriveNativeClientService.log holds information regarding each successful upload or download. Additionally, log entries may be recorded for files that were in the process of being transferred when network connectivity was lost or the transfer was cancelled. It is important to distinguish between the files that were in the process of being transferred and those that were in the queue to be transferred, as those in the queue (noted with a PENDING status) will be held in the {GUID}.db SQLite database.

The information stored on each line of ADriveNativeClientService.log may be broken up into a few important fields:
Parent Task ID: This field is either populated with a value of "upload" or "download" and reflects the type of transfer the log entry is describing.
Status: This field lists the status of the transfer at the time the entry was logged. This field should usually have a value of FINISHED, but it is possible for the value to be PENDING or RUNNING if the file was in the process of being transferred when network connectivity was lost or the transfer was canceled.
Local Path: This field lists the path to the file referenced in the log entry on the local machine. For uploads, this will be the original location of the file on the disk (or removable device). For downloads, this will be the path to which the downloaded file was saved.
Cloud Path: This field lists the path to the file referenced in the log entry on the Cloud Drive. For uploads, this will be the location on the Cloud Drive where the transferred file is saved. For downloads, this will be the location on the Cloud Drive from which the file was downloaded.
File Size: This field lists the size in bytes of the file referenced by the log entry.

An immediate difference that may be noted between the information available from ADriveNativeClientService.log and that which is available through parsing relevant web browser cache files is the absence of transfer timestamps. This appears to be an inherent shortcoming of ADriveNativeClientService.log, as a clear indication or log entry documenting such timestamps does not currently exist.

As with the browser cache files, it is possible to manually parse the relevant information from ADriveNativeClientService.log. However, this too would likely prove to be a time-intensive process (depending on the number of files transferred) and is thus made easier through automation. For this reason, I've written a Perl script that accepts the path to an ADriveNativeClientService.log file as input and outputs the fields previously described in comma-separated format. The script is titled acdLogParse.pl and may be freely downloaded from http://code.google.com/p/dfstream/downloads/list.
5.5. Artifacts remaining after uninstallation
After uninstalling the Amazon Cloud Drive desktop application using the standard uninstaller from the Windows Control Panel, the executable files associated with the program are removed, along with the .ico, .bmp, and various folders within the user's AppData\Local\Amazon\Cloud Drive (Local Settings\Application Data\Amazon\Cloud Drive) directory. The ADriveNativeClientService.log and {GUID}.db files, on the other hand, remain intact within the original folder. Incidentally, the log file and database persist if the application is reinstalled at a later date; they are not removed or replaced by a new version of the files.

Amazon Cloud Drive-related keys and values in the Windows registry are not completely removed upon uninstallation of the desktop application. Specifically, the two keys listed below remain active within the registry.
HKEY_CURRENT_USER\Software\JavaSoft\Prefs\com\amazon\clouddrive
HKEY_CURRENT_USER\Software\Amazon\AmazonCloudDrive
The existence of the registry keys above in the event that the desktop application executable file is no longer active in the file system may be an indication that the application had been uninstalled by the user. After uninstallation, HKEY_CURRENT_USER\Software\Amazon\AmazonCloudDrive contains a single value named "initialized" with the value data "true". When the desktop application is installed on the system, this key should contain four values (including "initialized").
6. Information available using online interface
As previously mentioned, the online interface of an Amazon Cloud Drive is very simple. If an examiner is provided the user credentials to access the online interface, it may help validate or supplement findings from the local machine. The online interface includes the file name, type, size, and date added for each file stored on the Cloud Drive. The date added value corresponds to the creation date value located within the web browser cache files. The Deleted Items area may be helpful in determining what files have been removed from the Cloud Drive as well as when they were deleted. The time of deletion may be obtained from the Deletion Date column within the Deleted Items area. This date/time value is displayed according to the time zone settings of the computer used to access the Amazon Cloud Drive. Accordingly, if the computer used to send the file to the Deleted Items area was in a different time zone than that of the machine the examiner is using for review, the listed deletion time may be inaccurate.
7. Carving Amazon Cloud Drive artifacts
The predictable manner in which Amazon Cloud Drive artifacts are constructed allows for carving Cloud Drive-related files from unallocated space. In the case of web browser cache files, carving the entire file may be accomplished through the use of a defined header and footer value. The log file used with the desktop application, ADriveNativeClientService.log, must be carved record by record, as the file itself is a simple text file and the first and last log entries are not predictable. The header and footer values for the web browser artifacts discussed in this paper are listed in Table 1.

A textual representation of the header values is {"getInfoByIdResponse", {"createByIdResponse", {"recycleBulkByIdResponse", and {"removeBulkByIdResponse". A textual representation of the footer value for the web cache artifacts is }}}. Carving experiments have resulted in recovering many of these files from unallocated space with very few false positives. Once recovered, the files can be either manually examined or saved to a single directory and parsed using acdCacheParse.pl.

The header and footer values for ADriveNativeClientService.log records are listed in Table 2. Regular expressions for locating the header and footer values for each ADriveNativeClientService.log record were given because a regular expression will be needed to accurately locate the end of each log record. Each record should begin with the word DEBUG; however, the end of each record is variable because the file size is the last field listed in the record. To account for this variable, the syntax [0-9]\x20 is used to locate any number with a trailing space. A human-readable version of this regular expression footer value might read "filesize " (the file size followed by a space). Once recovered, these records may be saved as individual files within the same directory and either examined manually or parsed using acdLogParse.pl with the -d flag (instructing acdLogParse to attempt to parse all files within a directory) passed to the script.
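Added example (not the paper's code): a small carver that applies the section's header and footer values to a raw byte blob such as an unallocated-space dump. The cache-file headers are the hex strings from Table 1 and the footer is 7D 7D 7D; log records are located with the paper's "DEBUG ... [0-9]\x20" rule, and the tokens the paper documents (upload/download, PENDING/RUNNING/FINISHED, trailing size) are then pulled from each record. The sample blob is constructed, and the layout of the log lines inside it is an assumption, since the paper only states that a record begins with DEBUG and ends with the file size.

```python
import re

# Header values from Table 1, as printed; every cache file ends with 7D 7D 7D ("}}}").
CACHE_HEADERS = {
    "getInfoById": "7B 22 67 65 74 49 6E 66 6F 42 79 49 64 52 65 73 70 6F 6E 73 65 22",
    "createById": "7B 22 63 72 65 61 74 65 42 79 49 64 52 65 73 70 6F 6E 73 65 22",
    "recycleBulkById": "7B 22 72 65 63 79 63 6C 65 42 75 6C 6B 42 79 49 64 52 65 73 70 6F 6E 73 65 22",
    "removeBulkById": "7B 22 72 65 6D 6F 76 65 42 75 6C 6B 42 79 49 64 52 65 73 70 6F 6E 73 65 22",
}
CACHE_FOOTER = bytes.fromhex("7D 7D 7D")
MAX_CACHE_LEN = 64 * 1024  # assumption: give up on a header with no footer within 64 KiB

# Section 7: a record starts with DEBUG and ends with the file size plus a trailing
# space ([0-9]\x20). The log is one line per transaction, so the match stays on one line.
LOG_RECORD_RE = re.compile(rb"DEBUG[^\r\n]*[0-9]\x20")
# Tokens documented in section 5.4: transfer type, status, and the trailing size.
LOG_TOKENS_RE = re.compile(
    rb"\b(upload|download)\b.*?\b(PENDING|RUNNING|FINISHED)\b.*\s([0-9]+)\x20$")


def carve_cache_files(blob):
    """(kind, offset, data) for each header..footer span. A header with no footer
    before the next header (a truncated file) is skipped rather than over-carved."""
    starts = []
    for kind, hexstr in CACHE_HEADERS.items():
        header = bytes.fromhex(hexstr)
        pos = blob.find(header)
        while pos != -1:
            starts.append((pos, kind))
            pos = blob.find(header, pos + 1)
    starts.sort()
    carved = []
    for i, (start, kind) in enumerate(starts):
        limit = starts[i + 1][0] if i + 1 < len(starts) else len(blob)
        end = blob.find(CACHE_FOOTER, start, min(limit, start + MAX_CACHE_LEN))
        if end != -1:
            carved.append((kind, start, blob[start:end + len(CACHE_FOOTER)]))
    return carved


def carve_log_records(blob):
    """(offset, record) for every ADriveNativeClientService.log-style record."""
    return [(m.start(), m.group(0)) for m in LOG_RECORD_RE.finditer(blob)]


def parse_log_record(record):
    """Extract the documented tokens; the paths stay inside 'record' because the
    paper does not give their exact layout."""
    m = LOG_TOKENS_RE.search(record)
    if m is None:
        return None
    return {"task": m.group(1).decode(), "status": m.group(2).decode(),
            "size": int(m.group(3)), "record": record.decode("latin-1").strip()}


def build_sample_blob():
    """Constructed stand-in for an unallocated-space dump."""
    filler = b"\x00" * 40 + b"unrelated slack " * 3
    getinfo = (b'{"getInfoByIdResponse":{"getInfoByIdResult":{"name":"clients.accdb",'
               b'"objectId":"f9e63141-7e8d-412b-88b7-7a5c152a9b26"}}}')
    recycle = (b'{"recycleBulkByIdResponse":{"recycleBulkByIdResult":'
               b'{"objectIds":"f9e63141-7e8d-412b-88b7-7a5c152a9b26"}}}')
    truncated = b'{"createByIdResponse":{"createByIdResult":{"name":"cut.txt"'  # footer lost
    log1 = (b"DEBUG upload FINISHED C:\\Users\\jdoe\\Documents\\clients.accdb "
            b"/Documents/clients.accdb 4718592 \r\n")
    log2 = (b"DEBUG download RUNNING C:\\Users\\jdoe\\Downloads\\roadmap.pdf "
            b"/Work/roadmap.pdf 98304 \r\n")
    return (filler + getinfo + filler + log1 + filler + truncated + filler
            + recycle + filler + log2 + filler)


if __name__ == "__main__":
    blob = build_sample_blob()
    for kind, offset, data in carve_cache_files(blob):
        print(f"{kind} @ {offset}: {data.decode('latin-1')}")
    for offset, record in carve_log_records(blob):
        print(offset, parse_log_record(record))
```

Two caveats worth keeping in mind when running this over real data: the "}}}" footer can also occur before the true end of a deeply nested response, so carved cache files should be re-parsed as JSON to confirm they are complete; and because a local path may itself contain a digit followed by a space, the carver takes the last such position on the line rather than the first.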
8. Methods of forensic analysis
8.1. Determining le transfers
When faced with the task of determining what les
were transferred to or from an Amazon Cloud Drive, an
examiner has three options:
1. Access the Cloud Drive with the users credentials to
determine what les are stored on the Cloud Drive.
2. Extract the browser cache les from the local machine
and view or parse the relevant information from cache
les relating to Amazon Cloud Drive usage.
3. Extract the ADriveNativeClientService.log le from the
local machine and view or parse the relevant elds from
the log.
Table 1
Amazon Cloud Drive web browser cache file header and footer values.

Cache file        Header (hex)                                                                    Header (ASCII)               Footer (hex)   Footer (ASCII)
getInfoById       7B 22 67 65 74 49 6E 66 6F 42 79 49 64 52 65 73 70 6F 6E 73 65 22              {"getInfoByIdResponse"       7D 7D 7D       }}}
createById        7B 22 63 72 65 61 74 65 42 79 49 64 52 65 73 70 6F 6E 73 65 22                 {"createByIdResponse"        7D 7D 7D       }}}
recycleBulkById   7B 22 72 65 63 79 63 6C 65 42 75 6C 6B 42 79 49 64 52 65 73 70 6F 6E 73 65 22  {"recycleBulkByIdResponse"   7D 7D 7D       }}}
removeBulkById    7B 22 72 65 6D 6F 76 65 42 75 6C 6B 42 79 49 64 52 65 73 70 6F 6E 73 65 22     {"removeBulkByIdResponse"    7D 7D 7D       }}}
J.S. Hale / Digital Investigation 10 (2013) 259–265
As access to the user credentials may be unavailable, the latter two options may yield the most useful information. Furthermore, simply accessing a user's Cloud Drive will provide the examiner with little detail regarding the transfer and usage history of the files stored on the Cloud Drive. The web browser cache files should always be parsed for Cloud Drive-related data, as the browser may be used for file transfers regardless of whether the desktop application is installed on the machine.
When searching for evidence that files were downloaded from an Amazon Cloud Drive, careful examination of the web browsing history database(s) will be necessary, especially if the desktop application is not installed. As the same information regarding downloaded files does not seem to be present in the web browser cache, it will be necessary to search for URL requests containing the text "downloadById" within the browser history database. Hits on this search should occur within the query portion of the URL and resemble https://www.amazon.com/clouddrive/?downloadById=f9e63141-7e8d-412b-88b7-7a5c152a9b26. An examiner may then compare the object ID listed after the "downloadById=" string to the object IDs gathered from any getInfoById web browser cache files that exist on the machine. If a matching object ID is found, it is likely that the information listed in the fields of the getInfoById cache file describes the file referenced by the URL request located in the browsing history database.
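The history-to-cache correlation just described, as an added Python example that is not the paper's code. It builds an in-memory SQLite table in the shape of a generic browser history table (real Chrome and Firefox history schemas differ, so the SELECT would be adapted to the browser being examined), seeds it with constructed rows (the first URL is the one quoted above; the other object IDs are placeholders), pulls the object ID out of the query string, and joins it against a constructed dictionary standing in for the fields parsed from getInfoById cache files. Restricting hits to Amazon hosts is my addition; the paper searches on the text alone.

```python
from __future__ import annotations

import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed browser history rows: (url, visit_time). The first URL is the
# example quoted in the paper; the other object IDs are placeholders.
SAMPLE_HISTORY = [
    ("https://www.amazon.com/clouddrive/?downloadById=f9e63141-7e8d-412b-88b7-7a5c152a9b26",
     "2012-08-12 14:02:11"),
    ("https://www.amazon.com/clouddrive/home", "2012-08-12 14:01:50"),
    ("https://www.amazon.com/clouddrive/?downloadById=OBJ-PLACEHOLDER-2",
     "2012-08-13 09:30:00"),
    ("https://www.example.com/?downloadById=not-a-cloud-drive-hit", "2012-08-14 08:00:00"),
]

# Constructed stand-in for the object IDs (and a few fields) parsed out of
# getInfoById cache files, e.g. by acdCacheParse.pl. All values are placeholders.
SAMPLE_GETINFO_OBJECTS = {
    "f9e63141-7e8d-412b-88b7-7a5c152a9b26": {"name": "report.pdf", "md5": "MD5-PLACEHOLDER-1"},
    "OBJ-PLACEHOLDER-3": {"name": "photo.jpg", "md5": "MD5-PLACEHOLDER-3"},
}


def load_history(rows) -> sqlite3.Connection:
    """Build an in-memory history table so the query below runs offline.
    Real Chrome/Firefox history databases have different schemas."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE urls (url TEXT, visit_time TEXT)")
    con.executemany("INSERT INTO urls VALUES (?, ?)", rows)
    return con


def find_download_requests(con: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Return (object_id, url, visit_time) for each downloadById request.
    SQLite LIKE is case-insensitive for ASCII, so 'downloadbyId' is caught too."""
    hits = []
    for url, visit_time in con.execute(
            "SELECT url, visit_time FROM urls WHERE url LIKE '%downloadById%' "
            "ORDER BY visit_time"):
        parts = urlsplit(url)
        host = parts.hostname or ""
        # ASSUMPTION (my addition): only Amazon hosts count as Cloud Drive hits.
        if not (host == "amazon.com" or host.endswith(".amazon.com")):
            continue
        ids = parse_qs(parts.query).get("downloadById")
        if ids:
            hits.append((ids[0], url, visit_time))
    return hits


def correlate(hits, objects) -> list[dict]:
    """Join each history hit to the getInfoById object it refers to, if any.
    An unmatched hit is still reported: the download request is in the
    history, but no cache file describing that object was found."""
    return [{
        "object_id": oid,
        "visit_time": visit_time,
        "url": url,
        "matched": oid in objects,
        "name": objects.get(oid, {}).get("name"),
        "md5": objects.get(oid, {}).get("md5"),
    } for oid, url, visit_time in hits]


if __name__ == "__main__":
    con = load_history(SAMPLE_HISTORY)
    for row in correlate(find_download_requests(con), SAMPLE_GETINFO_OBJECTS):
        print(row)
```

The query is deliberately a substring match rather than a parse of every URL, which mirrors the text search the paper recommends; the structured parse with parse_qs then happens only on the hits, so a malformed or partially overwritten URL in the history does not break the sweep.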
If the use of an Amazon Cloud Drive is suspected but there are no artifacts actively stored in the file system, an examiner may attempt to carve Cloud Drive-related artifacts from unallocated space. Header and footer information for Amazon Cloud Drive-related files was detailed in Section 7 of this paper.
8.2. Determining file transfer times
Determining the date and time files were transferred to or from an Amazon Cloud Drive will depend on the method of transfer used and the level of access the examiner has to the Cloud Drive. If the user credentials are known and the Cloud Drive may be accessed using a web browser, the "Date Added" column will provide the time of upload. If the Cloud Drive cannot be accessed in this manner, the timestamps associated with data transfers must be gathered from the web browser cache files. If the desktop application was used for the transfer of files and an examiner cannot access the online interface of the Cloud Drive, the examiner will be unable to determine the transfer times based on the information stored on the local machine.
It is recommended to analyze or parse the associated web browser cache files regardless of whether the user credentials to the Cloud Drive are known. One reason is that if a user permanently removes a file from the Cloud Drive, the "Date Added" information will be lost if the examiner only views such details using the online interface. However, if the same user account/computer combination was used to both upload (via web browser) and delete a file, information about the deleted file such as file name, paths, and MD5 may be found in the web browser cache files. In such a scenario, acdCacheParse.pl will find and present any existing information describing files that have been deleted from the Cloud Drive. Information such as the file path and MD5 describing files deleted from the Cloud Drive (recycled or permanently deleted) would be otherwise unavailable.
9. Conclusion
This paper presented digital artifacts created by the use of an Amazon Cloud Drive for the purpose of forensic analysis. Additionally, recovery of Cloud Drive artifacts from unallocated space through the process of data carving was explored. Two Perl scripts, acdCacheParse.pl and acdLogParse.pl, were also introduced in an effort to reduce the time and effort that would be required for an examiner to manually parse the information from Cloud Drive artifacts.
Cloud-based storage will likely remain a popular medium for transferring files for the foreseeable future. Digital forensic examiners will need to be knowledgeable about the different cloud storage providers in order to conduct thorough, accurate, and efficient investigations. This paper set out to provide the examiner with an understanding of the methods that he or she may utilize when approaching the forensic analysis of an Amazon Cloud Drive.
Acknowledgments
I would like to thank Dr. Andrew Cobb for his assistance in reviewing this article and offering helpful suggestions for improvement.
Table 2
ADriveNativeClientService.log record header and footer values.

File                                   Regex header                 (ASCII)     Regex footer                                          (ASCII)
ADriveNativeClientService.log record   \x44\x45\x42\x55\x47\x20     "DEBUG "    \x66\x69\x6C\x65\x73\x69\x7A\x65\x3D[0-9]\x20         "filesize=[0-9] "